Using Private Registries


#1

Using Private Registries With Replicated

As covered in the documentation, Replicated supports private images by configuring a connection to the private registry where they reside.

General Steps

To configure the connection, go to Images and click on Add External Registry:

Generally speaking, the endpoint will be the same endpoint you would use to run docker login.
When connecting to a private registry, the syntax to login is:


$ docker login ADDRESS:PORT

And to pull any images, the syntax is:


$ docker pull [OPTIONS] ADDRESS:PORT[/PATH]/IMAGE_NAME[:TAG]

So for example, to login to some private registry I would run something like:


$ docker login registry.example.com:5000

And to pull an image from this registry I would run something like:


$ docker pull registry.example.com:5000/projects/app-image

So in the example above, the endpoint would be registry.example.com:5000.

The values for the username and password fields will depend on the registry.

Below are instructions for some of the most common registries but for those that are not listed, a good rule of thumb is to provide the same values when running docker login.

Once Replicated and the Private Registry have been linked, you may need to update any defintion files to now pull images from this registry.

Amazon Elastic Container Registry (ECR)

To connect the Replicated Vendor Portal with Amazon ECR, you will need the following:

Endpoint: <aws_account_id>.dkr.ecr..amazonaws.com

Username: AWS Access Key ID

Password: AWS Secret Key

The AWS Access Key ID and AWS Secret Key must be from a user with enough permissions to pull the nescessary images.
If having permissions to pull images from all repositories is OK, then using the Amazon-provided AmazonEC2ContainerRegistryReadOnly policy will suffice.

If you’d like to further limit the scope of which images the user is able to pull, please review this article.

Google Container Registry (GCR)

To connect the Replicated Vendor Portal with GCR, you will need the following:

Endpoint: gcr.io/<gcp_project_id>

Username: _json_file

Password: <contents of JSON key file>

The JSON key file must be from a Service Account that has the Storage Object Viewer role:

To create the JSON key file, open the user record and select ADD KEY as shown below:

Copy the entire contents of the file and paste them into the Password field. Set the Username field to _json_file.

Other Registries

For registries not listed here, please refer to the General Steps section.